Skipfish
This seems to be my month to try out new tools (Jim Clausing would be happy with me), and I'm running another new one as I speak. This one is a web vulnerability scanner called skipfish. It runs on Linux, FreeBSD, MacOSX or Windows, so I'm, of course, running it on one of my *nix test boxes (I don't do security tools on Windows if I can help it). Downloaded the tarball, extracted it, and compiled after installing the one dependency the README said I'd probably need, GNU libidn (funny thing, how reading that documentation always seems to make these installs go smoother!)
I'm running it against a NetSec box, so I created an empty dictionary and used -L to disable brute forcing of extensions it found, which if I read the docs right, means I'll just get a nice crawl the first time through. Anyway, it's been mentioned on the SANS lists and even posted on the Storm Center diary. That in of itself is enough of a recommendation that I'd give it a test run, if you need a web test tool (maybe a pen tester or you're responsible for hardening/protecting web servers).
Get it here if you're interested...
I'm running it against a NetSec box, so I created an empty dictionary and used -L to disable brute forcing of extensions it found, which if I read the docs right, means I'll just get a nice crawl the first time through. Anyway, it's been mentioned on the SANS lists and even posted on the Storm Center diary. That in of itself is enough of a recommendation that I'd give it a test run, if you need a web test tool (maybe a pen tester or you're responsible for hardening/protecting web servers).
Get it here if you're interested...